Preemption Budget for Multi-Vehicle Fleet Operations

Domain Context

Mixed-fleet autonomous operations are no longer a research scenario. Autonomous freight platoons traverse interstate corridors under mixed-state regulatory regimes; urban robotaxi fleets in Phoenix, San Francisco, Austin, and Shenzhen operate hundreds to thousands of vehicles under centralized dispatch; last-mile delivery fleets and defense-vehicle formations introduce additional coordination layers. Each of these deployments routinely encounters conditions in which a single vehicle's locally-optimal decision diverges from the fleet-coordination optimum, and in which both diverge from what an emergency responder, traffic-control authority, or incident commander would direct.

The regulatory substrate for resolving these divergences is emerging unevenly. The U.S. National Incident Management System (NIMS) and its companion Incident Command System (ICS) describe how preemption authority flows from incident commanders downward through credentialed responder roles, but NIMS was authored against human-driven vehicles and treats preemption as an out-of-band human directive. State-level emergency-vehicle preemption statutes (covering signal preemption for fire and EMS at intersections, and, increasingly, lane-clearance protocols for autonomous traffic) are spreading, but they do not specify how an autonomous fleet operator should expose preemption surfaces to external authorities. ISO 22737 (low-speed automated driving) and SAE J3216 (cooperative driving automation) gesture at fleet-level coordination but leave authority composition unspecified.

The result is that fleet operators today resolve vehicle-versus-fleet-versus-external authority conflicts in proprietary code paths, and demonstrate to regulators after the fact that the resolution behaved sensibly. This is exactly the inversion of architectural support that mature safety-critical domains require.

Architectural Requirement

A fleet-grade autonomy architecture must be able to answer four questions at any moment, for any vehicle, with structural rather than reconstructed evidence. First: what authority is currently entitled to override this vehicle's local decisions, and within what bounds? Second: when an override is exercised, who exercised it, against which credential, for which declared purpose, and what residual authority remains? Third: when authorities conflict — a fleet dispatcher routes around an incident at the same moment a fire-department preemption signal arrives — which authority prevails, by what rule, and what record does the resolution leave? Fourth: when a vehicle declines an override (because the requested action would violate a higher-ordered constraint such as harm minimization or jurisdictional law), what does the refusal look like to the requesting authority, and how is it audited?

These are not implementation conveniences. They are the operational shape of NIMS-style command authority, of ICAO-style composite admissibility, and of forthcoming regulatory frameworks for mixed autonomous fleets. A vehicle whose preemption surface is implicit cannot be commanded by an incident commander; a fleet whose coordination authority is implicit cannot be audited by a regulator; an external authority whose credential is unverifiable cannot exercise preemption legitimately.

Why Procedural Compliance Fails

The procedural-compliance posture — operator runbooks, dispatcher SOPs, incident-response playbooks, and post-incident reconstruction from telemetry — is structurally unable to carry the authority-composition load. Runbooks describe how humans should behave; they do not constrain how the autonomy stack actually composes inputs from the vehicle's planner, the fleet operator's coordination layer, and an external preemption signal. Telemetry reconstruction can show what the vehicle did, but it cannot demonstrate that an authority boundary was respected at the moment of decision rather than merely consistent in retrospect.

The failure mode is most visible in conflict scenarios. Suppose a robotaxi has been routed by its fleet operator to clear a lane for a returning vehicle, and simultaneously receives a credentialed emergency-vehicle preemption signal directing it to a different lane. Suppose further that the local planner, evaluating a near-side cyclist, prefers a third action. A procedural posture produces three runbook clauses that gesture at priority and a developer who has implemented an if-elif-else somewhere in the planning stack. After an incident, the regulator must reconstruct, from logs, both what each authority requested and why the implementation chose as it did. The reconstruction is brittle, the audit is contested, and the operator's regulatory standing depends on the legibility of code paths that were not written for legibility.

Worse, procedural posture cannot handle the authority-budget question — the question of how much override capacity remains for a given external authority over a given operational window. Emergency preemption is not unlimited; misuse is itself a regulated harm. Without an architectural budget primitive, every preemption is exercised in isolation, and abuse patterns emerge only through retrospective statistical review.

What the AQ Primitive Provides

Governed actuation in the Adaptive Query model treats actuation as a credentialed, mode-graduated, post-verified operation. For fleet contexts the relevant graduation is continue / defer / refuse / partial: a vehicle facing an external override request evaluates the request against its policy stack and either continues with the requested action, defers (executes a partial holding pattern while requesting clarification), refuses (with credentialed refusal evidence), or executes a partial action that satisfies the override within a narrower envelope than requested. Each branch is a first-class architectural event, not an implementation accident.

The preemption-budget construct sits on top of this graduation. Each vehicle, at deployment time, is provisioned with a policy-signed envelope describing which external authorities may preempt which classes of decision, under which conditions, and with what cumulative budget over what window. A municipal fire authority's credential might carry a high preemption budget for lane-clearance decisions during an active incident declaration, no preemption budget for routing decisions outside an incident, and a metered budget for signal-overlap requests. A fleet operator's own coordination credential carries a different envelope: high authority for routing, bounded authority for speed envelopes, no authority over harm-minimization ordering. The vehicle's local planner retains residual authority that no external signal can override — the irreducible safety floor.

Each preemption attempt produces a credentialed event: who requested, against which credential, what mode the vehicle entered, what budget was consumed, what budget remains. Post-actuation verification confirms that the vehicle's resulting trajectory was within the envelope the credential authorized; reversibility evaluation flags decisions whose downstream consequences exceed what the credential's budget should allow and triggers escalation rather than silent commitment. Conflicting simultaneous preemptions resolve through declared precedence rules rather than implementation accident.

Compliance Mapping

The primitive maps cleanly onto the regulatory frameworks that fleet operations actually answer to. Against NIMS and ICS, the credentialed-authority envelope models the chain of incident command directly: an incident commander's credential carries authority bounded to the incident's declared scope and duration, and the vehicle's record of credential, budget consumption, and residual authority is exactly what an after-action review requires. Against state emergency-vehicle preemption statutes, the policy envelope encodes which preemption classes are recognized in which jurisdictions, and the vehicle's refusal record (when, e.g., a credential is presented in a jurisdiction that does not authorize that authority) is itself the audit artifact.

Against ISO 22737 and SAE J3216, the fleet-coordination credential occupies the cooperative-driving role those standards anticipate but do not architecturally specify, and the vehicle's residual safety floor preserves the standards' requirement that coordination not erode minimum-risk maneuver capability. Against forthcoming UNECE work on cooperative ITS and against the EU's emerging mixed-fleet framework under the AI Act's high-risk classification, the credential-and-budget pairing supplies the auditable authority surface those instruments require but do not implement.

For defense-vehicle formations, the same primitive supports DoD Directive 3000.09 (autonomy in weapon systems) constraints on appropriate levels of human judgment by exposing the override surface as a credentialed, budgeted authority rather than an open command channel.

Adoption Pathway

Fleet operators do not need to retrofit governed actuation into every vehicle simultaneously to begin realizing benefit. The pathway is incremental. Initial deployment formalizes the credential envelope for a single authority class — typically the fleet operator's own coordination credential, since that authority is already exercised — and produces credentialed events for each coordination action. This alone replaces a substantial fraction of post-incident reconstruction work with structural records.

The second adoption step adds emergency-services credentials, beginning with the highest-volume preemption authorities in the operator's primary jurisdictions. State and municipal emergency-vehicle preemption authorities increasingly publish credentialing schemes; binding the autonomy stack's preemption surface to those schemes converts a regulatory hazard into a regulatory asset. The third step extends the envelope to cross-jurisdictional and cross-fleet authorities — incident commanders for events spanning multiple operators, mutual-aid arrangements, and federal-level directives during declared emergencies. By this stage, the fleet's preemption posture is auditable end-to-end and the operator's regulatory engagement shifts from defending implementation choices to demonstrating envelope conformance.

The cumulative effect is that the operational reality of mixed-fleet autonomy — multiple authorities, conflicting priorities, bounded preemption, and post-hoc accountability — gains a structural home. Governed actuation does not eliminate the conflicts that fleet operators already navigate. It makes the navigation legible.

A secondary but increasingly important benefit of the structured envelope is that abuse and drift become detectable as architectural anomalies rather than as statistical artifacts of post-incident review. A credential whose preemption budget is consumed faster than its policy parameters anticipate produces a structural alert; a coordination authority whose override pattern diverges from its declared envelope is visible at the moment of divergence rather than at the next quarterly safety review. This shifts a class of governance failures — credential misuse, scope creep, and unauthorized authority composition — from forensic discovery to in-band detection, which is the same shift that telemetry-driven aviation safety management produced in the 1990s for traditional flight operations and that the autonomous-fleet domain has yet to make. Operators who adopt the primitive early gain not only certification leverage but also operational leverage over their own authority surface.